On Fri, Oct 09, 2009 at 09:41:32PM -, Graham Leggett wrote:
> --- httpd/httpd/trunk/modules/dav/main/mod_dav.h (original)
> +++ httpd/httpd/trunk/modules/dav/main/mod_dav.h Fri Oct 9 21:41:31 2009
> @@ -1940,6 +1940,12 @@
> ** then this field may be used. In most cases, it will just be NU
On Wed, Sep 16, 2009 at 01:38:50PM +0100, Dr Stephen Henson wrote:
> I may have missed something here but the OCSP stapling code doesn't appear to
> be
> in trunk. The patch in:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=43822
>
> doesn't apply cleanly any more, though the changes ne
On Wed, Sep 16, 2009 at 10:09:23AM +0300, Jari Urpalainen wrote:
> I'll assume that you don't need here the content which is included
> within mod_dav_acl package at sf.net ? Otherwise you are certainly free
> to use it anyways you like. Patch contains mostly some "hooks" to
> mod_dav, but since i'
On Mon, Sep 14, 2009 at 10:11:24AM -0400, Brian J. France wrote:
> I would like to get some form of mod_dav_acl[1] added to httpd. My end
> goal with all of this is to get a mod_caldav and mod_cardav accepted down
> the line or at least be able to build the module without hacking the
> core ht
On Mon, Sep 14, 2009 at 09:04:08PM +0200, Ruediger Pluem wrote:
> On 09/14/2009 04:16 PM, jor...@apache.org wrote:
> > +/* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|'
> > + * can be any character in ASCII from 33-126, obscurely. Verify
> > + * the syntax. */
> > +
On Sat, Sep 12, 2009 at 10:43:29PM +0200, Stefan Fritsch wrote:
> On Fri, 11 Sep 2009, Joe Orton wrote:
>> +char *p = ap_strchr(reply, '('), *ep, *term;
>> +long port;
>> +
>> +/* Reply syntax per RFC 2428: "229 blah blah (|||port|)" whe
On Fri, Sep 11, 2009 at 10:51:11PM +0200, Ruediger Pluem wrote:
> On 09/11/2009 04:52 PM, Joe Orton wrote:
> > On Thu, Sep 10, 2009 at 07:02:01PM +0200, Stefan Fritsch wrote:
> >> The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095
> >> there is o
On Thu, Sep 10, 2009 at 07:02:01PM +0200, Stefan Fritsch wrote:
> The (untested) patch below should fix CVE-2009-3094. For CVE-2009-3095
> there is only little information. But looking at the code, it seems
> the username and password sent by the browser are sent to the ftp
> server without sani
On Thu, Sep 10, 2009 at 07:02:01PM +0200, Stefan Fritsch wrote:
> in case you haven't noticed yet, some new mod_proxy_ftp issues have
> been reported:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
>
> The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
> mod_
On Wed, Sep 09, 2009 at 10:22:28PM +0200, Peter Sylvester wrote:
> The patch for 724717 moves some logic from ssl_engine_kernel into
> ssl__engine_vars and simplifies the code (and enhances it btw).
> Can this code be backported to the 2.2.x version
Have you done any testing on that? I hadn't don
On Sun, Aug 23, 2009 at 08:30:47PM -, n...@apache.org wrote:
> Author: niq
> Date: Sun Aug 23 20:30:47 2009
> New Revision: 807015
>
> URL: http://svn.apache.org/viewvc?rev=807015&view=rev
> Log:
> Preserve port over internal redirection
> PR#35999
> A four-year-old buglet!
Please, please, pl
CC'ing d...@.
On Tue, Aug 18, 2009 at 09:26:24PM +0100, Alex Stapleton wrote:
> First some background. We use Apache HTTPD 2.0 over a high-latency,
> high packet loss GPRS WAN. The cost per byte is tangible. We use SSL.
> We also use Transfer-Encoding: chunked sometimes. This is a machine
> monito
On Mon, Aug 03, 2009 at 01:09:35PM +0200, Ruediger Pluem wrote:
> On 08/03/2009 12:52 PM, Joe Orton wrote:
> > On Tue, Jul 28, 2009 at 07:35:25PM +0200, Stefan Fritsch wrote:
> >> I have backported r791454 to 2.2.3 in Debian 4.0 and have received a
> >> report [1] about
On Tue, Jul 28, 2009 at 07:35:25PM +0200, Stefan Fritsch wrote:
> Hi,
>
> I have backported r791454 to 2.2.3 in Debian 4.0 and have received a
> report [1] about segfaults with mod_deflate and mod_php (5.2.0). As
> far as I understand it, the reason is that mod_php uses ap_rwrite
> which creates t
On Wed, Jul 15, 2009 at 11:03:24AM +0200, "Plüm, Rüdiger, VF-Group" wrote:
> > I'm confused. Why do this check so late, and why does r->bytes_sent
> > matter? Why does it "screw up the protocol" if the DEFLATE
>
> All depends on the first brigade that passes mod_deflate. If this brigade
> cont
On Tue, Jul 14, 2009 at 05:47:16PM +0200, "Plüm, Rüdiger, VF-Group" wrote:
>
>
> > -Original Message-
> > From: William A. Rowe, Jr.
> > Sent: Montag, 13. Juli 2009 23:58
> > To: dev@httpd.apache.org
> > Subject: Re: mod_deflate DoS using HEAD
> >
> > Nick Kew wrote:
> > > Eric Covener
On Thu, Jul 09, 2009 at 09:48:29AM -0400, Dan Poirier wrote:
> So if the content-length was parsed correctly, but the vulnerability
> related to additional data wasn't fixed, this test would still pass?
> (Since then we're not sending any more data than expected?)
That is phrased almost as if ther
ck against mod_deflate or other
> > modules, by forcing the server to consume CPU time in compressing a
> > large file after a client disconnects. [Joe Orton, Ruediger Pluem]
>
> One of the patches was for
> https://issues.apache.org/bugzilla/show_bug.cgi?id=39605, although tha
configuration, where a remote attacker can force a
>> + proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
>
> I thought in this instance, the original reporter's diagnostic
> work contributed more to the patch than we did. I think he
> should be credited
On Sun, Jun 28, 2009 at 08:20:20PM +0200, Stefan Fritsch wrote:
> we have received a bug report [1] that a DoS is possible with
> mod_deflate since it does not stop compressing large files even after
> the network connection has been closed. This allows using large
> amounts of CPU if there is
On Thu, Jul 02, 2009 at 01:37:22PM +0100, Nick Kew wrote:
> Joe Orton wrote:
>
>> 1) A *linear-time* search on a shm segment, using strstr.
> > 2) ... for each new connection.
>
> With the expectation that the shm segment normally has strlen
> of zero, and even under
On Fri, Jun 26, 2009 at 03:55:27PM +0200, Natanael Mignon - michael-wessel.de wrote:
> I am currently working on - dirty, please have mercy - customizations
> of mod_ssl and especially OCSP-handling for a specific project (on
> basis of Apache 2.3 code). As I am neither a seasoned C-coder nor
>
On Wed, Jul 01, 2009 at 03:01:55PM -, n...@apache.org wrote:
> Author: niq
> Date: Wed Jul 1 15:01:55 2009
> New Revision: 790205
>
> URL: http://svn.apache.org/viewvc?rev=790205&view=rev
> Log:
> mod_noloris just moved from discussion to attracting its first patch
> on d...@. That means it
On Mon, Jun 22, 2009 at 09:48:46PM -0700, Paul Querna wrote:
> On Sun, Jun 21, 2009 at 4:10 AM, Andreas Krennmair wrote:
> > Hello everyone,
> .
> > The basic principle is that the timeout for new connections is adjusted
> > according to the current load on the Apache instance: a load percentag
On Thu, Jun 11, 2009 at 09:46:39AM -0400, Dan Poirier wrote:
> I was looking at mod_auth_digest and bug 16057. Currently the shared
> memory code in that module is disabled, and it turns out that has
> effects throughout the module, such as disabling all client tracking,
> nonce-count checking, MD
On Mon, Jun 01, 2009 at 10:22:45AM -0700, Jeff Trawick wrote:
> On Mon, Jun 1, 2009 at 7:30 AM, Stefan Fritsch wrote:
> > The interesting test file in mod_perls source is ./t/response/TestAPI/
> > add_config.pm.
> >
> > It looks like the test sets "Options ExecCGI" and expects $r->allow_options
>
Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the
development list for Apache httpd, CC'ed. (I'm quoting the full mail
inline for reference of dev@ readers)
On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
>mod_ssl can perform client authentication
On Mon, May 25, 2009 at 12:03:23PM -0400, Jeff Trawick wrote:
> I'm fine with your patch plus a bit of commentary in ap_allow_options().
Proposed patch as below:
Index: modules/filters/mod_include.c
===
--- modules/filters/mod_includ
On Fri, May 22, 2009 at 05:12:31PM -0400, Jeff Trawick wrote:
> (untested)
>
> ap_allow_options() is how applications, including our mod_include, access
> the enabled options for a given request (other than evil apps which define
> CORE_PRIVATE and locate the core_dir_config). As this is a callab
On Fri, May 22, 2009 at 05:26:07PM +0100, Joe Orton wrote:
> Attaching my original analysis for security@ which hopefully answers
> that question ;)
attempt 2
I've now had a deeper look into this. I can't see a way to fix the
problem without changing the semantics of the OPT_
On Thu, May 21, 2009 at 02:39:57PM -0400, Jeff Trawick wrote:
> On Wed, May 20, 2009 at 8:53 AM, Joe Orton wrote:
> > Given that the semantics of the options has changed, I don't think it's
> > worth changing httpd to maintain any pretence of compile-time or
> > ru
On Sun, May 17, 2009 at 11:15:00AM -0400, Jeff Trawick wrote:
> On Tue, May 12, 2009 at 9:17 AM, wrote:
>
> > Author: covener
> > Date: Tue May 12 13:17:29 2009
> > New Revision: 773881
> >
> > URL: http://svn.apache.org/viewvc?rev=773881&view=rev
> > Log:
> > backport 772997, 773322, 773342 from
mod_rewrite creates a global mutex and serializes writes to the log file
(if one is configured).
Maybe I'm being stupid here, but why is that? It seems to be
superfluous - it uses a single apr_file_write() to write a log entry, so
operates under exactly the same atomicity assumptions as mod_lo
On Thu, May 14, 2009 at 04:23:22PM -0700, Chris Darroch wrote:
> However, note that any choices we make here also, I believe,
> impacts the socache API, which has identical issues around data
> consistency in multi-process/multi-thread contexts. Personally
> I'd love to see these two APIs be as
On Thu, May 14, 2009 at 12:51:18PM +0200, Rainer Jung wrote:
> On 13.05.2009 22:38, William A. Rowe, Jr. wrote:
> > Please revert the introduction of a _wrapper struct and let's simply
> > fix the piped_log structure?
>
> Do we really want to add it to the public API?
There's no need for that str
On Mon, May 11, 2009 at 11:56:42AM -0400, Jeff Trawick wrote:
> Currently, starting httpd as non-root with mod_fcgid loaded fails unless
> User/Group are set to the active User/Group. Normally, httpd modules don't
> try to set ownership of objects to the specified User/Group unless starting
> as r
On Sun, May 10, 2009 at 12:32:44PM +0200, Ruediger Pluem wrote:
> On 05/10/2009 12:26 AM, Eric Covener wrote:
> > On Sat, May 9, 2009 at 5:55 PM, Ruediger Pluem wrote:
> >> --- server/core.c (Revision 773105)
> >> +++ server/core.c (Arbeitskopie)
> >> @@ -242,8 +242,9 @@
> >> /
On Tue, Apr 28, 2009 at 02:48:52PM +0100, Joe Orton wrote:
> 5) I'll post an updated patch soon which fixes the behaviour of "Options
> Includes"/"Options +IncludesNoExec" such that SSI is permitted without
> exec, as is the current 2.2.x behaviour, since that
On Wed, May 06, 2009 at 02:54:59PM -0500, William Rowe wrote:
> Plüm, Rüdiger, VF-Group wrote:
> >
> > This causes trunk to fail compilation with:
> >
> > make[1]: *** No rule to make target `modules/mappers/libmod_so.la', needed
> > by `httpd'. Stop.
> > make: *** [all-recursive] Error 1
>
>
Thanks for all the feedback so far. I've added in tests of combinations
using negative options in .htaccess, bringing the test matrix to a
glorious size of 3 x 4 x 10 = 120 entries: this page gives before/after
results with 2.2.x vanilla and the patch I posted previously:
http://people.apach
On Wed, Apr 01, 2009 at 12:07:49PM -, rpl...@apache.org wrote:
> Author: rpluem
> Date: Wed Apr 1 12:07:47 2009
> New Revision: 760866
>
> URL: http://svn.apache.org/viewvc?rev=760866&view=rev
> Log:
...
> +if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
> +apr_
A security issue in the handling of the Includes and IncludesNoExec
directives was reported recently, and I'm after some help.
The security issues are as follows:
a) If "AllowOverride Options=IncludesNoEXEC" is configured in
httpd.conf, a user can put "Options Includes" in an .htaccess
fi
On Wed, Apr 08, 2009 at 09:09:14AM +0100, Nick Kew wrote:
>
> On 8 Apr 2009, at 08:32, Joe Orton wrote:
>
>> So I'm not sure that it's worthwhile. Having said that, it seems a
>> lot more worthwhile than the mod_privileges approach in the trunk,
>> which s
On Wed, Apr 08, 2009 at 10:38:52AM +0900, KaiGai Kohei wrote:
> I've posted my idea to improve web-application security a few times
> however, it could not interest folks unfortunately. :(
> So, I would like to offer another approach for the purpose.
> The attached patch is a proof of the concept
On Tue, Apr 07, 2009 at 01:29:20PM +0200, "Plüm, Rüdiger, VF-Group" wrote:
...
> I think the reason for this behaviour is the following:
>
> 1. The subrequest created by mod_dir uses a subpool of r->pool for its
> allocations.
> 2. ap_internal_fast_redirect uses the data allocated out of this sub
On Mon, Mar 23, 2009 at 05:45:08PM +0100, Ruediger Pluem wrote:
> It turned out that changing the c->base_server in the SNI callback has some
> flaws. So the following patch stores the correct server_rec in the connection
> record configuration and adjusts the remaining part of mod_ssl to use this
On Thu, Mar 19, 2009 at 04:36:42PM -0400, Jeff Trawick wrote:
> Beyond the mod_authany question, why doesn't mod_ssl declare its check user
> id hook really-first if it can generate the basic auth? (Let the extremely
> limited number of modules which generate basic auth headers fight it out via
>
(cc'ing d...@apr since that's where the vformatter lives)
On Thu, Mar 05, 2009 at 12:54:13AM -0600, William Rowe wrote:
> Trying to come up with ways to process large entries without
> so much copying.
>
> My thought for 2.4 is to introduce an apr_vformatter code
> modifier, '#', into the s syntax
On Thu, Feb 19, 2009 at 10:00:50PM +0100, Ruediger Pluem wrote:
> On 02/19/2009 12:32 PM, Joe Orton wrote:
...
> > @@ -497,13 +500,17 @@
> > next = APR_BUCKET_NEXT(bucket);
> > }
> > bytes_in_brigade += bucket-&
On Wed, Feb 18, 2009 at 09:39:31PM +0100, Ruediger Pluem wrote:
> On 02/18/2009 11:16 AM, Joe Orton wrote:
> There is still a nasty issue with the trunk code that can cause you to
> run out of FD's as the new non blocking core output filter has some trouble
> setting aside the fi
On Mon, Feb 16, 2009 at 03:12:11PM +0100, Ruediger Pluem wrote:
> On 02/16/2009 02:13 PM, Joe Orton wrote:
> > Why is it invalid use of the filtering/buckets API to close the file
> > after sending the FILE-containing brigade up the filter stack?
> >
> > It seems c
On Mon, Feb 16, 2009 at 10:52:15PM +1100, Graham Dumpleton wrote:
> 2009/2/16 Joe Orton :
> > You say:
> >
> >> For me this is an issue as the file descriptor has been supplied from
> >> a special object returned by a higher level application and it would
> >
On Mon, Feb 16, 2009 at 12:34:26PM +0100, Ruediger Pluem wrote:
> On 02/16/2009 11:07 AM, Joe Orton wrote:
> > The call to:
> >
> > ap_save_brigade(f, &ctx->b, &b, ctx->deferred_write_pool);
> >
> > in that code path should result in
On Sat, Feb 14, 2009 at 10:25:08AM +1100, Graham Dumpleton wrote:
...
> What the end result of the code is, is that if you have a file bucket
> getting this far where length of file is less than 8000 and an EOS
> follows it, then the actual file bucket is held over rather than data
> being read and
On Tue, Feb 10, 2009 at 09:52:43AM -0500, Eric Covener wrote:
> On Tue, Feb 10, 2009 at 8:45 AM, Joe Orton wrote:
> > The AuthLDAPCharsetConfig directive allows server admins to do charset
> > conversion of the username passed in the HTTP auth headers.
> >
> > RFC 2
The AuthLDAPCharsetConfig directive allows server admins to do charset
conversion of the username passed in the HTTP auth headers.
RFC 2617 does not specify use of encoding non-ASCII usernames in the
{Proxy-},Authorization request headers; mod_authnz_ldap is guessing an
encoding based on any Ac
On Thu, Jan 22, 2009 at 04:09:25PM +1100, Gervase Markham wrote:
> Short version: I am hoping to find out what the problems are with the
> trunk version of TLS/SNI, how they can be fixed, and what the chances
> are of a backport to 2.2.
Making sure that mod_ssl's existing access control options wo
On Mon, Jan 12, 2009 at 12:03:31PM +0100, Rainer Jung wrote:
> On 12.01.2009 11:19, Rainer Jung wrote:
>> On 12.01.2009 10:04, Joe Orton wrote:
>>> Sending SIGTERM to the rotatelogs process and having the parent recycle
>>> it should have done that already, sure
On Sat, Jan 03, 2009 at 02:55:24PM +0100, Rainer Jung wrote:
> Most build variables for httpd are used via APACHE_SUBST, which means
> they get added to build/config_vars.mk.
>
> A) Where to define them?
>
>
> There are two places, where a lot of variables are added via APA
On Sun, Jan 11, 2009 at 05:36:07PM -, rj...@apache.org wrote:
> Author: rjung
> Date: Sun Jan 11 09:36:07 2009
> New Revision: 733493
>
> URL: http://svn.apache.org/viewvc?rev=733493&view=rev
> Log:
> Allow to trigger rotatelogs log file rotation from
> using HUP and INT signals to the rotatel
On Thu, Jan 08, 2009 at 09:40:59PM -, cove...@apache.org wrote:
> Author: covener
> Date: Thu Jan 8 13:40:59 2009
> New Revision: 732832
>
> URL: http://svn.apache.org/viewvc?rev=732832&view=rev
> Log:
> Translate locally generated "100-Continue" message to
> ASCII on EBCDIC systems.
...
> --
On Wed, Jan 07, 2009 at 02:34:29PM -0500, Eric Covener wrote:
> On Fri, Dec 26, 2008 at 10:53 PM, wrote:
> > Author: niq
> > Date: Fri Dec 26 19:53:32 2008
> > New Revision: 729586
> >
> > URL: http://svn.apache.org/viewvc?rev=729586&view=rev
> > Log:
> > CGI: return 504 (Gateway timeout) rather
On Tue, Jan 06, 2009 at 12:10:25PM -0600, William Rowe wrote:
> Would folks comment on Nathan's, Joe's and Stefan's work on
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=42829
>
> and offer any comments on why this patch;
>
> https://issues.apache.org/bugzilla/attachment.cgi?id=22822
>
On Sat, Dec 27, 2008 at 01:12:24PM +, Nick Kew wrote:
> On 27 Dec 2008, at 09:52, Ruediger Pluem wrote:
>> On 12/27/2008 03:13 AM, n...@apache.org wrote:
>>> Author: niq
>>> Date: Fri Dec 26 18:13:47 2008
>>> New Revision: 729579
>>>
>>> URL: http://svn.apache.org/viewvc?rev=729579&view=rev
>>>
On Fri, Dec 12, 2008 at 02:41:14PM -0600, William Rowe wrote:
> jor...@apache.org wrote:
> > Author: jorton
> > Date: Fri Dec 12 12:20:40 2008
> > New Revision: 726109
> >
> > URL: http://svn.apache.org/viewvc?rev=726109&view=rev
> > Log:
> > mod_ssl: Make the size of the per-dir-reneg request-bod
On Fri, Dec 12, 2008 at 11:15:49AM -0800, Chris Darroch wrote:
> Joe Orton wrote:
>
>> Both modules look very neat! Are you going to commit them? I might
>> debate the naming of mod_shmap ;)
>
> Heh, thanks. I don't know, I hadn't really thought about com
On Tue, Dec 09, 2008 at 10:30:51AM -0800, Chris Darroch wrote:
> Joe Orton wrote:
>
>> * include/ap_socache.h: Use C++ safety wrappers, and rename ->delete
>> to ->remove since the former is a C++ reserved word.
>
> Thanks again for the socache refactoring! I&
typedef enum {
TOKEN_STRING,
TOKEN_RE,
TOKEN_AND,
} token_type_t;
} token_t;
} backref_t;
... all lack namespace-safety.
as do:
typedef const char *(*string_func_t)(request_rec*, const char*);
typedef int (*opt_func_t)(request_rec*, ap_parse_node_t*, string_func_t);
which are also u
On Fri, Dec 05, 2008 at 12:43:57AM -0800, Paul Querna wrote:
> Trunk is CTR, but I do want to make sure no one is completely opposed to
> pulling in mod_wombat.
+1, go for it. For the record, I'd be happy for lua to become a
mandatory or strongly-recommended dependency such that we could remov
On Thu, Dec 04, 2008 at 12:13:52PM +, Dr Stephen Henson wrote:
> At Joe's request I've posted the last comment here. It is in reference
> to bug #43822 which is OCSP Stapling support for mod_ssl:
Thanks for posting.
...
> The mutex code has been removed and some dummy functions to replace the
On Fri, Nov 07, 2008 at 01:29:15PM +0100, "Plüm, Rüdiger, VF-Group" wrote:
> > Would it be possible to substitute the backend ("fake") conn_rec's
> > ->bucket_alloc pointer with the "real" r->connection->bucket_alloc,
> > for the duration of the request/response to the backend? Wouldn't
> > tha
On Thu, Nov 06, 2008 at 09:58:52PM +0100, Ruediger Pluem wrote:
> What is the problem at all?
>
> mod_proxy_http uses a conn_rec to communicate with the backend. It somehow
> reverses the meaning of input and output filters and uses them to send the
> request and receive the response. In o
On Wed, Oct 29, 2008 at 11:59:06AM -0700, Paul Querna wrote:
> Is COW ability of fork important enough with modern memory and operating
> systems, to maintain two significantly different code paths for spawning
> children processes?
I looked at a stock 2.2 install (x86_64) with most modules bu
On Tue, Oct 28, 2008 at 12:12:51AM -0700, Paul Querna wrote:
> I've added the Simple MPM to trunk:
> https://svn.apache.org/viewvc/httpd/httpd/trunk/server/mpm/simple/
Great!
> - The name. Someone suggest something better than "Simple".
I like naming projects by grepping the dictionary, and gre
On Thu, Aug 21, 2008 at 01:49:35PM +0200, "Plüm, Rüdiger, VF-Group" wrote:
> > Given that the lifetime of the callbacks is now constrained, is the
> > new global pool still needed?
>
> Where does this patch use a global pool? It keeps a reference on the pconf
> pool in a global variable, but it n
On Wed, Aug 20, 2008 at 10:36:37AM -0400, Sander Temme wrote:
>
> On Aug 18, 2008, at 5:18 AM, Joe Orton wrote:
>
>> So generally pconf is the right pool to use, along with a cleanup
>> registered against that pool which sets the callbacks to NULL.
>
> Yes, with the
On Fri, Aug 15, 2008 at 06:33:21AM -0700, Sander Temme wrote:
>
> On Aug 15, 2008, at 12:48 AM, Plüm, Rüdiger, VF-Group wrote:
>
>> 1. Why creating a global pool for dynlockpool? Why can't this be a
>> subpool
>> of the pool passed to ssl_util_thread_setup?
>
> Because that's the pconf pool and
On Mon, Aug 11, 2008 at 08:20:40PM +0100, Joe Orton wrote:
> I think that something like this is the way to go: (against 2.2.x since
> my trunk install is currently refusing to do anything DAVy)
I committed a version of that with the logic, um, improved, as r685112,
and am +1 for backp
On Fri, Aug 08, 2008 at 09:42:01AM -0400, Jeff Trawick wrote:
> On Fri, Aug 8, 2008 at 5:28 AM, Joe Orton <[EMAIL PROTECTED]> wrote:
> > On Thu, Aug 07, 2008 at 03:12:00PM -, Jeff Trawick wrote:
> > > --- httpd/httpd/trunk/modules/dav/fs/repos.c (original)
> > &
On Thu, Aug 07, 2008 at 03:12:00PM -, Jeff Trawick wrote:
> --- httpd/httpd/trunk/modules/dav/fs/repos.c (original)
> +++ httpd/httpd/trunk/modules/dav/fs/repos.c Thu Aug 7 08:12:00 2008
> @@ -1475,10 +1475,8 @@
> /* append this file onto the path buffer (copy null term) */
>
On Sat, Jun 14, 2008 at 11:24:43PM +0200, Ruediger Pluem wrote:
> So the code before said that if port_getn returns -1 (== fails) we return
> APR_TIMEUP if the error is ETIME or EINTR and APR_EGENERAL.
> So IMHO the error message (in this IMHO the same) would have been shown with
> the old co
On Sat, May 31, 2008 at 12:00:55AM +0200, Ruediger Pluem wrote:
> On 05/30/2008 01:49 PM, [EMAIL PROTECTED] wrote:
>> URL: http://svn.apache.org/viewvc?rev=661666&view=rev
>> Log:
>> Prevent CSRF attacks against the balancer-manager (CVE-2007-6420)
...
>> @@ -619,6 +622,27 @@
>> }
>> }
>> +/
On Thu, Jun 05, 2008 at 07:25:30AM +0200, Kaspar Brand wrote:
> Joe Orton wrote:
> > http://svn.apache.org/viewvc?rev=662815&view=rev
> >
> > Changing the dirconf structure fields in-place seems ugly and may even
> > be thread-unsafe (not sure).
>
> Thanks
On Tue, Jun 03, 2008 at 04:42:07PM +0200, Kaspar Brand wrote:
> So, is there still hope for SNI being added in 2.2.9...? Let me know if
> there's anything else I can do to increase the chances of getting this
> proposal accepted.
http://svn.apache.org/viewvc?rev=662815&view=rev
Changing the dirco
On Thu, May 29, 2008 at 03:34:21PM -0700, Paul Querna wrote:
> Stefan Fritsch wrote:
>> https://issues.apache.org/bugzilla/attachment.cgi?id=21137 has been in
>> Debian testing and unstable for about 6 months without problems. It is not
>> an elegant solution but it works. Considering that it is
On Tue, Apr 22, 2008 at 06:27:26PM +0200, Dirk-Willem van Gulik wrote:
>
> On Apr 22, 2008, at 5:53 PM, Joe Orton wrote:
>> On Wed, Feb 13, 2008 at 10:00:23AM +0100, Kaspar Brand wrote:
>>> While I was testing revocation checking for client certs in an SNI
>>> config
On Wed, Feb 13, 2008 at 10:00:23AM +0100, Kaspar Brand wrote:
> While I was testing revocation checking for client certs in an SNI
> configuration (Dirk, many thanks for make_sni.sh, btw!), I came across a
> flaw in the current implementation when CRL information - i.e.
> SSLCARevocationFile/SSLCAR
On Wed, Apr 09, 2008 at 05:07:33PM +0200, Graham Leggett wrote:
> Joe Orton wrote:
>
>> I don't understand why *that* stuff needed to be in the core. It is
>> certainly possible to consume then reinject the request body, without
>> changing one line of core filte
On Wed, Apr 09, 2008 at 03:10:25PM +0200, Graham Leggett wrote:
> Roy T. Fielding wrote:
>
>> -1. Bloat like this belongs in a module.
>
> This piece of code depends on the KeptBodySize directive, which is part of
> the http_filter, and sits alongside ap_discard_request_body().
I don't understan
On Mon, Apr 07, 2008 at 06:34:55PM +0200, Graham Leggett wrote:
> Joe Orton wrote:
>
>> mod_session_cookie.c:59: warning: no previous prototype for
>> 'ap_session_cookie_save'
>
> I just checked for any unchecked in files, and found a change to
> Makefile.in
On Tue, Apr 08, 2008 at 02:22:36PM +0200, Graham Leggett wrote:
> [EMAIL PROTECTED] wrote:
>
>> Session cache interface redesign, Part 8:
>
> Is this stuff documented yet? (Or am I jumping the gun...?)
ap_socache.h is the only documentation; it should be reasonably clear
how to use a cache from t
Thanks for the detailed response and sorry for the slow reply ;)
On Thu, Mar 06, 2008 at 02:33:12PM -0800, Chris Darroch wrote:
> I was a little puzzled by the name "socache" because I assumed
> "so" meant "shared object", like mod_so, until I read the code comments.
> I wondered if it was true
The code on the trunk gives a bunch of warnings:
Building shared: mod_session.la mod_session_cookie.la mod_session_crypto.la
mod_session_dbd.la
mod_session_cookie.c:59: warning: no previous prototype for
'ap_session_cookie_save'
mod_session_cookie.c:108: warning: no previous prototype for
'ap_s
On Thu, Apr 03, 2008 at 09:51:09PM -, [EMAIL PROTECTED] wrote:
> Author: chrisd
> Date: Thu Apr 3 14:51:07 2008
> New Revision: 644525
>
> URL: http://svn.apache.org/viewvc?rev=644525&view=rev
> Log:
> Avoid calling access control hooks for internal requests with
> configurations which match
On Tue, Mar 11, 2008 at 03:39:22PM +0100, Plüm, Rüdiger, VF-Group wrote:
> > It occurred to me recently that it is relatively simple to prevent
> > "CSRF" attacks against the balancer-handler (see CVE-2007-6420), by
> > generating a "secret" nonce at startup and requiring the presence of
> > tha
It occurred to me recently that it is relatively simple to prevent
"CSRF" attacks against the balancer-handler (see CVE-2007-6420), by
generating a "secret" nonce at startup and requiring the presence of
that secret in the submitted parameters.
Any objections?
Index: modules/proxy/mod_proxy_ba
On Wed, Mar 05, 2008 at 09:32:54AM +0100, Plüm, Rüdiger, VF-Group wrote:
> > > [Patch shows diffs relative to original ssl_scache_* for
> > the providers]
> >
> > Does it make sense to do this in a branch in subversion?
>
> Not sure if this is needed as Joe has already done a lot of the redesign
The cleanest and simplest way to extract the session cache providers
from mod_ssl seems to be like this:
1) define the provider vtable structure in a header, ap_socache.h
2) implement all the provider backends in separate modules,
mod_socache_*
There's no central registration of new backends r
On Tue, Feb 26, 2008 at 09:58:31PM +0100, Ruediger Pluem wrote:
> On 02/26/2008 05:57 PM, [EMAIL PROTECTED] wrote:
>> Author: jorton
>> Date: Tue Feb 26 08:57:56 2008
>> New Revision: 631297
>>
>> URL: http://svn.apache.org/viewvc?rev=631297&view=rev
>> Log:
>> Session cache interface redesign, Par
On Tue, Feb 26, 2008 at 04:51:40PM +, Dr Stephen Henson wrote:
> Well the current CRL strategy has a few problems. It ignores critical
> extensions but that's a separate issue...
I was looking at this recently; is it still true that mod_ssl has to do
so much of the CRL revocation checks for